
No remote wipe for BYOD iPhones #22882


Open
Sampfluger88 opened this issue Oct 11, 2024 · 3 comments

@Sampfluger88

Sampfluger88 commented Oct 11, 2024

  • @mikermcneil : I want to be able to disable remote wipe for a given team to be able to; as an admin, disable this one particular feature that could wipe your pictures of your kids
  • @noahtalerman: User requested this because I think we want to dogfood Fleet for BYOD iPhones but the requestor (Mike) doesn't feel comfortable enrolling their iPhone to Fleet if anyone at Fleet can intentionally or accidentally remove all pictures of their kids from their iPhone.
    • @allenhouchins: End users also expect that their organization won't be able to see all apps installed. Only the ones delivered by Fleet.
    • @allenhouchins: Apple has designed the new account-driven User Enrollment to have these permissions: https://support.apple.com/guide/deployment/user-enrollment-and-mdm-dep23db2037d/web
    • @noahtalerman: In the interim we could tweak the enrollment profile that is downloaded when the end user navigates to the BYOD enrollment page.
    • @noahtalerman: Eventually Fleet might present the IT admin the option to choose "BYOD" v. "Company-owned" (aka personal v. corporate) in the "Add hosts" modal experience. If they choose personal, then they'll be presented w/ a link that presents the end user w/ a download link. The download link gives the end user a profile that doesn't include wipe permissions.

User stories

@Sampfluger88 Sampfluger88 added #g-digital-experience https://fleetdm.com/handbook/digital-experience :product Product Design department (shows up on 🦢 Drafting board) ~feature fest Will be reviewed at next Feature Fest labels Oct 11, 2024
@allenhouchins

A couple of things for us to think through. Our current BYOD solution is not really BYOD; otherwise this would not be a problem. Our current BYOD solution is user-initiated enrollment with full MDM capabilities. This is supposed to be used for companies that have devices that aren't being automatically managed by ABM/DEP. The issue around admins having pervasive permissions and capabilities would be addressed if we supported User Enrollment (true BYOD). I am concerned that just hiding Wipe from the UI would not address the potential issue being raised, since the enrollment profile being installed in this method would still have the rights to wipe the device. We would likely have to change the rights management of the enrollment profile that gets installed to fully block wipe capabilities, which would mean a re-enrollment of the device. It also means that the customers that want user-initiated enrollment with full MDM capabilities would lose this ability without creating some UI to have multiple user-initiated enrollment workflows.
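
The concern in the comment above, that hiding Wipe in the UI leaves the right in the installed profile, can be checked against the profile itself. This is an added example, not Fleet's code and not part of the comment: it reads the `AccessRights` bitmask from the `com.apple.mdm` payload of an unsigned `.mobileconfig` and reports whether device erase (bit value 8) is granted. The sample profile, its `ServerURL` and the helper names are constructed for illustration; a signed profile would need its CMS wrapper removed first.

```python
import plistlib

# Bit values of the AccessRights key in Apple's com.apple.mdm payload.
ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install and remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    16: "query device information",
    32: "query network information",
    64: "inspect installed provisioning profiles",
    128: "install and remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management",
}
ERASE = 8

def mdm_rights(profile_bytes):
    """Return the AccessRights integer of the MDM payload in a .mobileconfig."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.mdm":
            return int(payload["AccessRights"])
    raise ValueError("no com.apple.mdm payload in profile")

def granted(rights):
    return [name for bit, name in ACCESS_RIGHTS.items() if rights & bit]

def can_erase(profile_bytes):
    return bool(mdm_rights(profile_bytes) & ERASE)

def sample_profile(rights):
    """Constructed, unsigned sample profile; ServerURL is a placeholder."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadContent": [{
            "PayloadType": "com.apple.mdm",
            "ServerURL": "https://mdm.example.invalid/mdm",
            "AccessRights": rights,
        }],
    })

if __name__ == "__main__":
    for label, rights in (("full MDM", 8191), ("erase removed", 8191 & ~ERASE)):
        blob = sample_profile(rights)
        print(label, rights, "erase allowed:", can_erase(blob))
```

A profile that reports the erase bit as set still carries the right to wipe regardless of what the admin UI shows, and changing the bitmask only takes effect when the device installs the new profile.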

@Sampfluger88 Sampfluger88 removed the #g-digital-experience https://fleetdm.com/handbook/digital-experience label Oct 15, 2024
@noahtalerman

Problem

Mike: I want to be able to disable remote wipe for a given team (e.g. BYOD devices). Could even call it “BYOD mode”, but the simplest step is to be able to, as an admin, disable this one particular feature that could wipe your pictures of your kids.

What have you tried?

Potential solutions

What is the expected workflow as a result of your proposal?

@noahtalerman noahtalerman changed the title from “Mike: I want to be able to disable remote wipe for a given team to be able to; as an admin, disable this one particular feature that could wipe your pictures of your kids” to “No remote wipe for BYOD iPhones” on Oct 18, 2024
@noahtalerman noahtalerman removed the :product Product Design department (shows up on 🦢 Drafting board) label Oct 18, 2024
@noahtalerman noahtalerman added Epic DO NOT USE. Auto-created by ZenHub, cannot be disabled. and removed ~feature fest Will be reviewed at next Feature Fest Epic DO NOT USE. Auto-created by ZenHub, cannot be disabled. labels Oct 25, 2024
@marko-lisica

Hey @Sampfluger88, we decided to drop #23242 because none of our customers requested this feature. We're planning to bring #27390 into the sprint starting on May 5.
